From banks to retailers and universities to hospitals, protecting digital information is a top priority. One of the top seals of approval in the information security profession is the CISSP (Certified Information Systems Security Professional) designation. The CISSP exam, administered by the International Information Systems Security Certification Consortium or ISC2, is recommended for security analysts, managers, auditors, architects, and systems engineers, as well as IT directors and chief information security officers.

To earn the CISSP designation, you must have at least five years of paid full-time work experience in at least two of the eight domains of practice and knowledge covered on the CISSP exam. In some cases, four years of relevant experience is acceptable (e.g., if you hold at least a 4-year college degree or a regional equivalent). Part-time work and internships may also count towards the experience requirement. Candidates without the required experience can become an Associate of ISC2 by passing the exam, giving them six years to earn the experience required.

CISSP Exam Requirements

Regardless of your work history, in order to take the CISSP exam, you’ll also need a clean criminal record. Notably, any background in criminal hacking, even if the incident took place in the past, may impact your eligibility.

CISSP candidates are given a maximum of three hours to complete the 100-150-item English CISSP Computerized Adaptive Testing (CAT) exam, or six hours to complete the 250-item non-English CISSP linear exam. A score of 700 out of 1,000 is considered passing.

The Eight Domains Covered on the CISSP Exam

  • Domain 1: Security and Risk Management (16%)
  • Domain 2: Asset Security (10%)
  • Domain 3: Security Architecture and Engineering (13%)
  • Domain 4: Communication and Network Security (13%)
  • Domain 5: Identity and Access Management (IAM) (13%)
  • Domain 6: Security Assessment and Testing (12%)
  • Domain 7: Security Operations (13%)
  • Domain 8: Software Development Security (10%)

Domain 1: Security and Risk Management

The first content area addresses a broad range of questions related to security and risk management. The questions in this section focus on ethics, compliance, and common security risks, as well as risk monitoring and risk management strategies. Specifically, test takers should be prepared to respond to questions that probe their readiness to:

  • Understand, adhere to, and promote professional ethics, such as the ISC2 Code of Professional Ethics and organizational code of ethics.
  • Understand and apply security concepts including confidentiality, integrity, availability, authenticity, and non-repudiation (5 Pillars of Information Security).
  • Evaluate and apply security governance principles.
  • Understand legal, regulatory, and compliance issues that pertain to information security in a holistic context.
  • Understand requirements for investigation types (administrative, criminal, civil, regulatory, industry standards).
  • Develop, document, and implement security policy, standards, procedures, and guidelines.
  • Identify, analyze, assess, prioritize, and implement Business Continuity (BC) requirements, aligning the security function to business strategy, goals, mission, and objectives.
  • Understand and apply risk management concepts, including threat and vulnerability identification, risk analysis, and assessment.
  • Apply supply chain risk management (SCRM) concepts.
  • Establish and maintain a security awareness, education, and training program.

Domain 2: Asset Security

The second content area focuses on asset security. CISSP candidates must be capable of evaluating how best to handle data and developing policies and procedures to ensure data is secure. As such, questions in this section focus on the collection, handling, and protection of information at all stages of the information lifecycle, classification of information, and ownership issues. To ace this part of the CISSP exam, candidates must be able to demonstrate a capacity to:

  • Identify and classify information and assets.
  • Establish information and asset handling requirements.
  • Provision information and assets securely.
  • Manage the data lifecycle, ensuring appropriate asset retention (e.g., End of Life (EOL), End of Support).
  • Determine data security controls and compliance requirements.

Domain 3: Security Architecture and Engineering

The third content area on the CISSP exam focuses on security engineering. Defined as the practice of building information systems and related architecture that can function even in the face of threats (e.g., hacking, natural disasters, or system failures), security engineering is a key component of information security work. On this part of the CISSP exam, test takers must demonstrate a capacity to:

  • Research, implement, and manage engineering processes using secure design principles.
  • Understand the fundamental concepts of security models (e.g., Biba, Star Model, Bell-LaPadula).
  • Select controls based on systems security requirements.
  • Understand security capabilities of Information Systems (IS) such as memory protection, Trusted Platform Module (TPM), and encryption/decryption.
  • Assess and mitigate vulnerabilities in security architectures, designs, and solution elements.
  • Understand methods of cryptanalytic attacks and apply security principles to site and facility design.

Domain 4: Communication and Network Security

CISSP candidates are expected to demonstrate knowledge of network fundamentals (e.g., network topologies and IP addressing) and cryptography. They are also expected to hold the ability to securely operate and maintain network control devices, such as switches and routers. These topics are grouped under Domain 4. Specifically, test takers should be prepared to exhibit the ability to:

  • Apply secure design principles in network architectures.
  • Secure network components.
  • Implement secure communication channels according to design.

Domain 5: Identity and Access Management (IAM)

An obvious way to lower security risks is to carefully manage who has access to sensitive data. Domain 5 focuses on identity and access management issues. More specifically, this domain tests whether CISSP candidates are prepared to:

  • Control physical and logical access to assets.
  • Design identification and authentication strategies for people, devices, and services.
  • Federated identity with a third-party service and implement/manage authorization mechanisms.
  • Manage the identity and access provisioning lifecycle and implement authentication systems.

Domain 6: Security Assessment and Testing

Understanding information assets is a key way to mitigate potential security breaches. For this reason, Domain 6 focuses on assessment and testing. Specifically, this domain tests whether or not candidates can:

  • Design and validate assessment, test, and audit strategies.
  • Conduct security control testing and collect security process data.
  • Analyze test output and generate reports.
  • Conduct or facilitate security audits.

Domain 7: Security Operations

A major focus of the CISSP exam is security operations. This area deals with some of the most common areas of information security practice. In other words, for Domain 7, test takers should be prepared to respond to questions about daily or routine rather than exceptional security operations. Among other areas of knowledge, test takers must be able to demonstrate the ability to:

  • Understand and comply with investigations, conduct logging, and monitoring activities.
  • Perform configuration management (CM), apply foundational security operations concepts, and apply resource protection.
  • Conduct incident management and operate/maintain detection and preventative measures.
  • Implement recovery strategies and participate in Business Continuity (BC) planning and exercises.

Domain 8: Software Development Security

The final domain on the CISSP exam focuses on software development security. Test takers should be prepared to respond to questions that test their knowledge and ability to enforce security controls on any software operating in their organizational environment. Specifically, test takers should demonstrate a capacity to:

  • Understand and integrate security in the Software Development Life Cycle (SDLC).
  • Identify and apply security controls in software development ecosystems.
  • Assess the effectiveness of software security and the security impact of acquired software.
  • Define and apply secure coding guidelines and standards.

Recommended Study Resources

Need some practice before taking the CISSP? Download Pocket Prep’s CISSP exam prep app to study anywhere, anytime on your mobile device. We also highly recommend the following study guides:

Additional Resources

For further information on CISSP experience requirements and how to account for part-time work and internships, visit the ISC2 website. To learn more about CISSP CAT and other exam details, check out the CISSP CAT page.